Protect your Node.js apps at runtime – with Firewall
Automatically block critical injection attacks, introduce rate limiting for APIs, and monitor outbound traffic.
Open-core alternative to Datadog, AWS WAF and Cloudflare
Prevent OWASP Top 10 & zero-day threats on autopilot
Firewall shields your Node.js app from a wide array of common threats.
SQL & NoSQL injection
Attempts to manipulate database queries for malicious purposes (data theft, unauthorized access, etc.), including protection for different database flavors like MySQL, MongoDB, Postgres, and more.
Command injection
Attacks that inject and execute arbitrary system commands on your server through user input.
SSRF attacks
Attacks where an attacker tricks the server into making unintended requests to internal or external resources, for example to the cloud metadata service, potentially exposing access keys for your cloud servers.
Path traversal
Attempts to access unauthorized files or directories on your server by manipulating input fields or file paths.
Detect and block malicious user input automatically, with just one line of code.
You can first run Firewall in dry mode, where it only reports what it would have blocked, and verify it works before enabling blocking, so you don't break your app.
Supports your tech stack
MySQL
MongoDB
Postgres
TypeORM
Sequelize
Firewall vs Traditional Web Application Firewalls (WAF)
Fully embedded
Unlike WAFs, Firewall runs inside your app as a JS library.
No complex agents to deploy.
No extra infrastructure or hardware.
Negligible performance overhead.
Runs in the background
Firewall analyzes data on the fly and blocks attacks automatically.
No more updating rulesets
No constant monitoring
No extra follow-up actions
Stop attacks in real-time
Firewall detects threats as your application runs and stops attacks in real time, before they ever reach your database. It is not a substitute for patching vulnerable dependencies, but it blocks exploitation attempts at runtime while you do. Just install it once, and it handles the rest.
Far fewer false positives & negatives
Firewall is smarter than simple blocklists. Because it sees both the user input and the query or request it ends up in, it knows the difference between a malicious command and legitimate user input, so you get fewer false alarms and more peace of mind.
Use on your own – or upgrade with Aikido
Firewall is a new product from Aikido Security, the no-nonsense security platform for devs. One central platform that shows devs what matters and how to resolve it, so they can get back to building.
Aikido leverages dozens of open-source packages under the hood. So we decided to build Firewall open-core.
You can use Firewall entirely on your own, without an Aikido account.
But here are some extra features you'll get if you use Aikido:
Block users by ID or IP
Spot a suspicious IP or user ID? One click and they're gone. No coding required.
Simple rate limiting
Sick of bots and leaky API endpoints? Set up rate limiting rules to throttle suspicious traffic.
Dashboard overview
Need a clean overview of all the attacks Firewall detects and blocks?
Plus, you get access to our all-in-one bundle of scanners for code & cloud security
FAQ
Right now, Firewall plays nicely with popular databases like MySQL, MongoDB and PostgreSQL, and is compatible with ORMs like TypeORM and Sequelize. We're also working on support for more languages, such as Python and Ruby. Have a specific service in mind? Let us know, and we'll prioritize it.
Honestly, it's tiny. We're talking minuscule overhead for most apps. We're obsessed with performance and constantly benchmark Firewall to make sure it stays lightning fast. Need hard numbers for your use case? Just run some tests based on our benchmarks.
You're not on your own. We have a growing community of developers and security folks using Firewall. Don’t hesitate to open a GitHub issue – we're committed to making this project a success, and that includes support.
Seeing is believing. Firewall logs blocked attacks with all the juicy details: what the attack looked like, where it came from, etc. We're working on dashboards and integrations to make this info even more accessible.
Monkey-patching gets a bad rap. Done right, it's a clever and efficient way to add functionality. Aikido Firewall targets a very specific area of your code: it monitors outgoing traffic to databases and third-party APIs. We've rigorously tested it to make sure it plays nicely with common setups. We even tested with OpenTelemetry running in the background, which didn't create any conflicts. Still worried? Try it in a test environment first, in dry mode.
Traditional WAFs are like security guards at the gate. They only see what comes in, not what goes on inside your building (your app). Aikido Firewall is the security guard inside, watching both the front door AND how people move around once they're in. Because it sees the whole picture, the user input AND your app's database requests, it can tell the difference between a legitimate (but weird-looking) customer and a thief trying to be sneaky. Fewer false alarms, fewer real threats slipping through.
We get it. It sounds too good to be true. Aikido Firewall's magic is in three things:
1) it is a library inside your app;
2) it monitors both incoming user input and outgoing connections (to databases or third-party services);
3) it doesn't rely on giant rule lists.
This laser focus lets it protect you with almost zero performance overhead.
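To make the two answers above concrete, here is an added example of the "watch the input AND the outgoing query" idea. It is illustration code written for this page, not Firewall's own code or detection algorithm; the tokenizer, the `0` placeholder, the two-character minimum and the `guardQuery` dry-mode wrapper are choices made for the demo, and the sample requests are constructed, not captured traffic.

```javascript
// Minimal SQL tokenizer: single-quoted strings ('' escapes a quote), -- line
// comments, numbers, words and single-character punctuation. Enough for the
// demo; a real product needs dialect-aware tokenizers (MySQL vs Postgres
// quoting rules, block comments, backtick identifiers, ...).
function tokenize(sql) {
  const tokens = [];
  let i = 0;
  while (i < sql.length) {
    const c = sql[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === "'") {                                  // string literal
      let j = i + 1;
      while (j < sql.length && !(sql[j] === "'" && sql[j + 1] !== "'")) {
        j += sql[j] === "'" ? 2 : 1;                  // skip a doubled quote
      }
      tokens.push({ type: "string", value: sql.slice(i, j + 1) });
      i = j + 1;
      continue;
    }
    if (c === "-" && sql[i + 1] === "-") {            // comment to end of line
      let j = sql.indexOf("\n", i);
      if (j === -1) j = sql.length;
      tokens.push({ type: "comment", value: sql.slice(i, j) });
      i = j;
      continue;
    }
    if (/[0-9]/.test(c)) {
      let j = i;
      while (j < sql.length && /[0-9.]/.test(sql[j])) j++;
      tokens.push({ type: "number", value: sql.slice(i, j) });
      i = j;
      continue;
    }
    if (/[A-Za-z_]/.test(c)) {
      let j = i;
      while (j < sql.length && /[A-Za-z0-9_]/.test(sql[j])) j++;
      tokens.push({ type: "word", value: sql.slice(i, j) });
      i = j;
      continue;
    }
    tokens.push({ type: "punct", value: c });
    i++;
  }
  return tokens;
}

// Core check (demo logic, not the product's): did the request value change the
// *shape* of the statement? Replace every occurrence of the input with a
// harmless literal and compare token counts. A value that only fills a slot
// (inside a string literal, or as a lone number) leaves the count alone; an
// injected quote, operator or comment adds or removes tokens.
function detectSqlInjection(userInput, sql) {
  // Very short inputs ("a", "1") match everywhere and are skipped in this demo.
  if (userInput.length < 2 || !sql.includes(userInput)) {
    return { detected: false, reason: "input not present in query" };
  }
  const original = tokenize(sql).length;
  const neutralised = tokenize(sql.split(userInput).join("0")).length;
  const changed = original !== neutralised;
  return {
    detected: changed,
    reason: changed ? "input alters query structure" : "input is a plain value",
  };
}

// Enforcement wrapper with a dry-mode switch: always report, block only when
// blocking is enabled. Hypothetical API for the demo.
function guardQuery(userInput, sql, { block = false, log = console.log } = {}) {
  const verdict = detectSqlInjection(userInput, sql);
  if (verdict.detected) {
    log(`[firewall] SQL injection ${block ? "blocked" : "detected (dry mode)"}: ${JSON.stringify(userInput)}`);
    if (block) throw new Error("Blocked by runtime protection");
  }
  return verdict;
}

// Constructed sample requests: the value taken from the request, and the SQL
// the app then sends to the database.
const samples = [
  { input: "42",          sql: "SELECT * FROM users WHERE id = 42" },               // plain value
  { input: "1 OR 1=1",    sql: "SELECT * FROM users WHERE id = 1 OR 1=1" },         // injection
  { input: "admin'--",    sql: "SELECT * FROM users WHERE name = 'admin'--'" },     // injection
  { input: "1 OR 1=1",    sql: "SELECT * FROM posts WHERE body = '1 OR 1=1'" },     // scary-looking but a value
  { input: "' OR '1'='1", sql: "SELECT * FROM users WHERE name = '' OR '1'='1'" }, // injection
  { input: "admin'--",    sql: "SELECT * FROM users WHERE name = $1" },             // parameterised: never reaches SQL
];
for (const s of samples) guardQuery(s.input, s.sql, { block: false });
```

The fourth sample is the point of the FAQ: a gate-only WAF sees `1 OR 1=1` in the request and has to guess, while a check that also sees the outgoing statement knows it landed inside a string literal and lets it through. The last sample shows why parameterised queries remain the primary fix: the user value never appears in the SQL text at all, so the runtime check has nothing to flag and acts purely as defence in depth. This demo compares only token counts, so it tolerates a user supplying the quotes around a whole value; a production implementation should compare token types too and handle each database dialect's escaping rules.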
User tracking is fully optional and off by default. Should you choose to track users and share personally identifiable information (PII) rather than just IDs, you will be required to list Aikido Security as a subprocessor.
We've implemented security best practices aligned with the highest standards.